This afternoon, I was pointed to an announcement made by Big Jack in the PinoyFootball group. He said, among other things, that the website had been hacked and therefore was suspended— presumably by the web hosting service. I would just like to shed some light into that.
First, even if I am no longer involved with the website, I still care about it. I've put so much time in that website and still consider it as one of my flagship projects. So when I heard about it being hacked, I was alarmed! Second, I have trust issues with a couple of people— not all of them, just to be clear about it— who are still involved with the website.
What I Had Previously Known
(Don't worry about your nose bleeding, this will all become clear as we go along.)
I had already seen the “500: Internal Server Error” page yesterday when Inez and I tried to access PinoyFootball.com. (She just arrived from the States last Monday and we have really not viewed the website, which we worked so hard on, together. So that was part of our re-bonding time.) I just assumed that, because the Content Management System is run by an obscure software library that only a handful of sites use, the new web master— or whoever is now in charge— ran into an error. That's to be expected from anyone, no matter how good a developer he is.
Off the top of my head, I can count three ways by which a section of that specific website can be broken using the CMS: 1) by specifying an inappropriate template for an article; 2) creating an article in the wrong place within a section's documents tree; and 3) removing an article from a database that a section or article template expects to find.
I also know that, by virtue of PinoyFootball.com being an implementation of SaWALi2, generic Uniform Resource Identifiers for articles follow this format (excluding the domain name):
Section_Name/[Year posted][First three letters of the month][Date][First three letters of the day][GMT Hour][Minute][Second]
That means, if I posted an article in the “Fandom” section at the time of this writing, the article's URI would be: Fandom/2011Aug11Thu102640 because, pardon my wordiness, the article was posted in Fandom on Thursday, 11th August 2011 at 16:26:40 GMT+08:00.
What I Know About Hacking Websites
(Before anything, for the sake of correctness, let's replace “hack” with “crack”; because we don't want to insult the likes of Richard M. Stallman, Linus Torvalds, Tim Bernes Lee, and all other true hackers on whose work my livelihood depends on.)
To be honest, not much. But having the experience of getting a couple of my clients' sites defaced, I know that either the host server itself or the CMS has to be vulnerable. Now, while I don't wish to make bold claims about HostGator's (the hosting service) or SaWALI2's toughness in terms of penetrability, my afternoon investigation suggests that there had been no defacement that happened at all.
From experience, one of the files that crackers disable is something called .htaccess. That file basically contains additional instructions on how the server should react/respond when a person accesses the website through her browser, cellphone, etc. Disabling that file (by simply deleting it) ensures that the crackers' “modifications” will be followed. Those modifications typically include uploading new files on the server so that when one accesses it she will see what the crackers want her to see.
Other things to go would be every other .html file in the website's root (or public-access) directory. Sometimes, the crackers will basically delete every other file and folder in that directory except for the things they upload.
Why The Website Wasn't Cracked
None of that happened in PinoyFootball. I know this because the current “Oops! Website services have been disabled...” page, a file called updating.html, is something that I created. It had been in the root directory since February, when the site started operations.
The .htaccess file is also doing its job. As of this writing, it's redirecting all none-file server requests to that updating.html file. This means that if a person types http://www.pinoyfootball.com/some-non-existent-file.html— assuming that file really doesn't exist—, instead of responding with the standard “404 Not Found” message, the server shows her the “Oops!” page. Conversely, when a person types http://www.pinoyfootball.com/img/galleries/news-misc/jeepney-fc-merch.jpg— assuming that the file still exists—, the server is going to show her a photo of Rudy del Rosario and Elmer Bedia wearing the Jeepney FC kit.
Again, I know this because I wrote that .htaccess file; although the standard behaviour would have been for the server to redirect all non-file requests to the SaWALi2 starter script instead of updating.html. Switching from that behaviour to the one previously described would have been as easy as moving a “#” character from one line to another.
Why It Was A User Error
Let me just say that the last article I posted was by Noel S. Villaflor and titled, “Keep Kuwait”. That was posted under Noel's column on Saturday, 23rd July 2011 at around four in the afternoon; and based on my earlier explanation of the SaWALi2 URI format, its link should be http://www.pinoyfootball.com/Columns/2011Jul23Sat081814.
Of course, since the .htaccess file has been modified recently, that page will not be accessible; but that's not the point. The thing is, yesterday: Wednesday, 10th August 2011 at 9:10 AM Philippine Time, somebody created an article titled, “Smart club soccer groups fires off in CDO, Iloilo”, in the Columns section.
The link to this article, http://www.pinoyfootball.com/Columns/2011Aug10Wed011045— like “Keep Kuwait”, is inaccessible. But the evidence that such a file was created can be seen on the sidebars of filipinofootball.blogspot.com, theprawnsandwichbrigade.blogspot.com, futbolpinoy.blogspot.com, sportskibitzer.blogspot.com, and every other website that connects to the old PinoyFootball Columns RSS feed and displays parts of it.
This evidence suggests that indeed, what had caused the “Internal Server Error” page to appear in some of the website's section pages (including the home page), was one or a combination of the three ways by which a content manager (in this case, the user) can break parts of the PinoyFootball website.
Cracked? Not likely. Honest mistake? Probably.
What was not “honest” about this whole thing, though, is the way somebody had tried to cover-up that mistake by blaming it on hackers. Such dishonesty that someone would take advantage of Big Jack's lack of technical ability in computer stuff to wile him into making such an erroneous announcement.
...I really should stop caring about these things. Let this be the last time I write about PinoyFootball then— time to move on.